Biometric authentication device and method

ABSTRACT

A biometric authentication device includes: a memory; and a processor coupled to the memory and configured to: determine, when authentication with first biometric information has been successful, whether second biometric information different from the first biometric information is from a user corresponding to the first biometric information using a determining method corresponding to one of a plurality of security levels, the determining method being selected from among a plurality of determining methods based on the one of the plurality of security levels, and register, when the second biometric information has been determined to be from the user, the second biometric information associated with the user.

CROSS-REFERENCE TO RELATED APPLICATION

This application is based upon and claims the benefit of priority fromthe prior Japanese Patent Application No. 2013-089058 filed on Apr. 22,2013, the entire contents of which are incorporated herein by reference.

FIELD

The embodiments discussed herein are related to biometricauthentication.

BACKGROUND

There are more and more cases in biometric authentication systems where,in addition to an already-registered biometric information, usersregister and use new biometric information, in order to handle increasein users of biometric authentication systems, improve the rate ofhandling users, and so forth. Security in such a situation, to confirmthat the person inputting biometric information to be newly registeredis the same person as the registrant of registered biometricinformation, is important.

There has been prior art for ensuring that new and old biometricinformation are biometric information derived from the same person (forexample, Japanese Laid-open Patent Publication No. 2011-123532 andJapanese Laid-open Patent Publication No. 2012-208682), such as art forautomatically registering new biometric information in a biometricauthentication device based on multiple numbers of times ofauthentication results, art for ensuring that two pieces of biometricinformation are derived from the same person, based on positionalrelation between a fingerprint image and a palm image, and so forth.

SUMMARY

According to an aspect of the invention, a biometric authenticationdevice includes: a memory; and a processor coupled to the memory andconfigured to: determine, when authentication with first biometricinformation has been successful, whether second biometric informationdifferent from the first biometric information is from a usercorresponding to the first biometric information using a determiningmethod corresponding to one of a plurality of security levels, thedetermining method being selected from among a plurality of determiningmethods based on the one of the plurality of security levels, andregister, when the second biometric information has been determined tobe from the user, the second biometric information associated with theuser.

The object and advantages of the invention will be realized and attainedby means of the elements and combinations particularly pointed out inthe claims.

It is to be understood that both the foregoing general description andthe following detailed description are exemplary and explanatory and arenot restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1A is a block diagram for describing a hardware configuration of abiometric authentication device according to a first embodiment, andFIG. 1B is a schematic diagram of a living body sensor;

FIG. 2 is a block diagram of the functions to be realized by executionof a biometric authentication program;

FIG. 3 is a flowchart representing an example of additional registrationprocessing;

FIG. 4 is an example of a flowchart to be executed at the time ofacquiring a checkpoint list;

FIG. 5 is a diagram representing an example of points to be checkedstored in a database or the like;

FIG. 6A is a schematic diagram in the case that a palm is held up to theliving body sensor in parallel with the living body sensor, and FIG. 6Bis a diagram representing a fingerprint image and a palm vein imageacquired by the living body sensor;

FIG. 7A is a schematic diagram in the case that the palm is separatedfrom the living body sensor, and FIG. 7B is a diagram representing afingerprint image and a palm vein image acquired by the living bodysensor;

FIG. 8A is a schematic diagram in the case that the index finger isseparated from the living body sensor, and FIG. 8B is a diagramrepresenting a fingerprint image and a palm vein image acquired by theliving body sensor;

FIG. 9 is a created table representing relevance between palminclination and the area of a fingerprint image;

FIG. 10A and FIG. 10B are diagrams representing distance from the baseof a finger to a fingerprint center position;

FIG. 11 is a block diagram for describing a hardware configuration of abiometric authentication device according to a second embodiment;

FIG. 12 is a block diagram of the functions to be realized by executionof a biometric authentication program according to the secondembodiment;

FIG. 13 is a flowchart representing an example of additionalregistration processing according to the second embodiment;

FIG. 14 is a diagram representing an example of a flowchart according toa first modification;

FIG. 15 is a diagram representing an example of a flowchart according toa second modification;

FIG. 16 is a diagram for describing an example in which a random code isused;

FIG. 17 is a function block diagram to be realized by execution of abiometric authentication program according to a third embodiment;

FIG. 18 is a flowchart to be executed at the time of checkpoint listacquisition processing;

FIG. 19 is an example of checkpoint candidates;

FIG. 20 is an example in which the biometric authentication deviceaccording to the first embodiment is realized by a biometricauthentication system;

FIG. 21A, FIG. 21B, FIG. 21C, and FIG. 21D are hardware configurationdiagrams of the biometric authentication system in FIG. 20;

FIG. 22 is an example in which the biometric authentication deviceaccording to the second embodiment is realized by a biometricauthentication system;

FIG. 23A, FIG. 23B, FIG. 23C, and FIG. 23D are hardware configurationdiagrams of the biometric authentication system in FIG. 22; and

FIG. 24 is an example in which the biometric authentication deviceaccording to the third embodiment is realized by a biometricauthentication system.

DESCRIPTION OF EMBODIMENTS

A biometric authentication device is used even in an environment whereuse by many users is assumed, such as personal authentication in a localgovernment or the like. It is not realistic from an aspect ofconvenience to cause a user to perform authentication multiple times insuch an environment, such as in the prior art.

Also, it is common that security levels demanded from biometricauthentication devices differ depending on the biometric authenticationdevices. Accordingly, when ensuring that new and old biometricinformation are derived from the same person at the time of registeringnew biometric information, it is desirable that accuracy of securitythereof may be changed depending on security levels. However, such acase has not been assumed in the prior art.

It is an object of an aspect to improve authentication accuracy that newand old biometric information are derived from the same person withaccuracy according to the security level of a biometric authenticationdevice.

The art disclosed in the embodiments enables improvement inauthentication accuracy that new and old biometric information arederived from the same person with accuracy according to the securitylevel of a biometric authentication device in which registrationopportunities for new and old biometric information are restricted.

First, terminologies to be used in the following embodiments will bedescribed. Instances are units of a living body to be used forauthentication, for example, such as fingers, palms, face, eyes, and soforth. Accordingly, a finger and a palm are different instances. Also, amiddle finger and an index finger are also different instances, and theleft eye and right eye are also different instances. Modalities arekinds of living body features, for example, such as a fingerprint, avein, an iris, a face shape, a palm shape, and so forth. Accordingly, afingerprint and a vein of the same finger are different modalities.

Biometric information is information relating to a living body, andincludes living body features representing individual features of aliving body, and so forth. Different kinds of biometric information area plurality of biometric information of which at least any one or moreof modalities, instances, acquisition methods, and authenticationmethods differ. Examples of different modalities include a case whereexisting biometric information is a fingerprint, and new biometricinformation is a palm vein. Also, examples of different acquisitionmethods include a case where existing biometric information is thefingerprint of a third finger acquired at a contact-type fingerprintsensor, and new biometric information is the fingerprint of an indexfinger acquired at a noncontact-type fingerprint sensor. Further,examples of different authentication methods include a case whereexisting biometric information is the fingerprint of an index finger,new biometric information is the fingerprint of another finger, and bothare acquired by the same fingerprint sensor, but the authenticationmethod in the case of employing the fingerprint of the index fingerdiffers from the authentication method in the case of employing thefingerprint of the other finger. For example, an index finger, a thumb,and a little finger greatly differ in the finger width, and accordingly,the authentication methods of both may differ. Also, an index finger andanother finger differ in easiness of fingerprint input, and accordingly,the authentication methods of both may differ.

Hereinafter, embodiments will be described with reference to theappended drawings.

First Embodiment

FIG. 1A is a block diagram for describing a hardware configuration of abiometric authentication device 100 according to a first embodiment.FIG. 1B is a schematic diagram of a later-described living body sensor105. As illustrated in FIG. 1A, the biometric authentication device 100includes a CPU 101, RAM 102, a storage device 103, a display device 104,a living body sensor 105, a communication unit 106, attributeinformation acquisition unit 107, and so forth. These units areconnected by a bus or the like.

The CPU (Central Processing Unit) 101 is a central processing unit. TheCPU 101 includes one or more cores. The RAM (Random Access Memory) 102is volatile memory configured to temporarily store a program that theCPU 101 executes, data that the CPU 101 processes, and so forth.

The storage device 103 is a nonvolatile storage device. Examples of thestorage device 103 includes (ROM) read only memory, a solid state drive(SSD) such as flash memory or the like, and a hard disk to be driven bya hard disk drive. A biometric authentication program according to thepresent embodiment is stored in the storage device 103. The displaydevice 104 is a liquid crystal display, electroluminescence panel, orthe like, and displays results of later-described additionalregistration processing, and so forth.

The living body sensor 105 is a sensor configured to detect biometricinformation of a user, and detects multiple different kinds of biometricinformation. The living body sensor 105 according to the presentembodiment acquires a fingerprint image of multiple fingers as existingbiometric information, and also acquires a palm vein image as newbiometric information. That is to say, the living body sensor 105acquires different modalities such as fingerprints and veins withdifferent instances such as multiple fingers and a palm as objects.

As illustrated in FIG. 1B, the living body sensor 105 includes anexisting biometric information acquisition unit 108 and a new biometricinformation acquisition unit 109. The existing biometric informationacquisition unit 108 is an optical sensor or electrostatic capacitysensor or the like, and acquires a fingerprint image of two or morefingers. Either one of a contact type and a noncontact type may beemployed as the existing biometric information acquisition unit 108. Theexisting biometric information acquisition unit 108 according to thepresent embodiment acquires fingerprints of the three fingers of anindex finger, a middle finger, and a third finger. Examples of the newbiometric information acquisition unit 109 include a CMOS (ComplementaryMetal Oxide Semiconductor) camera. The new biometric informationacquisition unit 109 acquires a palm vein image using near infraredrays.

Note that, in order to extract biometric information of the same personin a stable manner, it is desirable that the existing biometricinformation acquisition unit 108 and new biometric informationacquisition unit 109 are mutually fixedly disposed. Also, it isdesirable that existing biometric information and new biometricinformation are acquirable at the same time. For example, it isdesirable that the existing biometric information acquisition unit 108and new biometric information acquisition unit 109 are fixedly disposedwithin predetermined distance L, and a fingerprint image and a palm veinimage are acquirable at the same time. The distance L is, for example,several centimeters to about 10 centimeters, which will fit in the sizeof a normal palm.

The communication unit 106 is, for example, a connection interface for aLAN (Local Area Network) or the like. The attribute informationacquisition unit 107 is an input device such as a keyboard, mouse, orthe like, and is, for example, a device configured to input an ID foridentifying a user, or the like.

The biometric authentication program stored in the storage device 103 isloaded to the RAM 102 in an executable manner. The CPU 101 executes thebiometric authentication program loaded in the RAM 102. Thus, theprocesses according to the biometric authentication device 100 areexecuted. Registration processing, matching processing, additionalregistration processing, and so forth are executed by the biometricauthentication program being executed.

The registration processing is processing in which existing biometricinformation acquired at the living body sensor 105 is registered in adatabase or the like in a manner correlated with each user. The matchingprocessing is processing in which, in the case that similarity between auser's biometric information acquired by the living body sensor 105 andregistered biometric information, or the like is equal to or greaterthan a threshold value, determination is made that this user is the sameperson as a registered user. The additional registration processing isprocessing in which new biometric information of a user whose existingbiometric information has been registered is additionally registered ina manner correlated with this user.

Examples of the additional registration processing include a case ofhandling increase in the number of users. The number of users of abiometric authentication device tends to increase, and higherauthentication accuracy than ever than before is demanded. In order tosolve this, authentication accuracy may be improved by adding newbiometric information to existing biometric information. Another exampleof the additional registration processing is a case of adding a doubleregistration check function. In order to implement a double registrationcheck for confirming whether or not a user of the biometricauthentication device has doubly been registered, there has to beperformed 1:N authentication in which the registration data of each useris matched with all other registered data. In general, in order toimplement 1:N authentication, there is obtained higher authenticationaccuracy than that of 1:1 authentication in which authentication isperformed by matching one registration data correlated withidentification information, with input matching data with 1:1. In orderto solve this, authentication accuracy may be improved by adding newbiometric information to existing biometric information. Another exampleof the additional registration processing is a case of performingmeasures for improvement in the rate of handling users. That is to say,in this case, the handling rate is improved by adding other newbiometric information with easy authentication to existing biometricinformation for a user whose authentication is difficult with thisexisting biometric information alone.

FIG. 2 is a block diagram of the functions to be realized by executionof the biometric authentication program. According to execution of thebiometric authentication program, there are realized a checkpoint listmanagement unit 11, a checkpoint list acquisition unit 12, anauthentication data creation unit 13, a matching processing unit 14, anoutput unit 15, a checkpoint processing unit 16, a same persondetermining unit 17, a registration data creation unit 18, a database19, and so forth.

(Additional Registration Processing)

FIG. 3 is a flowchart representing an example of additional registrationprocessing. First, the checkpoint list acquisition unit 12 acquires acheckpoint list in which points to be checked that are implemented forconfirming that existing biometric information and new biometricinformation are biometric information derived from the same person (stepS1).

FIG. 4 is an example of a flowchart to be executed at the time ofacquiring a checkpoint list. The checkpoint list management unit 11displays practicable points to be checked on the display device 104 withreference to FIG. 4 (step S11). The points to be checked are stored inthe database 19 or the like. The checkpoint list acquisition unit 12acquires points to be checked decided according to a security level tocreate a checkpoint list (step S12). According to execution of theabove-described steps, the points to be checked are acquired.

FIG. 5 is a diagram representing an example of points to be checkedstored in the database 19 or the like. As illustrated in FIG. 5, thepoints to be checked are correlated with a method for determining thatexisting biometric information and new biometric information arebiometric information of the same person. Also, the points to be checkedare correlated with a confirmation level of the biometric authenticationdevice 100. The confirmation level is a security height level.

The checkpoint list to be acquired may include a sequence to implementpoints to be checked. Also, the checkpoint list acquisition unit 12 mayenable a combination alone satisfying the confirmation level of thebiometric authentication device 100 to be acquired when theadministrator selects points to be checked. For example, theadministrator of the biometric authentication device 100 or a developerof the biometric authentication device 100 previously determines aconfirmation level for each point to be checked. In the case thatsummation of the confirmation levels of the points to be checkedselected by the administrator is equal to or greater than theconfirmation levels of the biometric authentication device 100, thecheckpoint list acquisition unit 12 determines that this combination isa combination satisfying the confirmation level, and enables thecheckpoint list to be acquired.

As illustrated in FIG. 3, next, the attribute information acquisitionunit 107 acquires attribute information of the user (step S2). Examplesof the attribute information include the user name of a user, and anidentification symbol specific to a user. Next, the existing biometricinformation acquisition unit 108 acquires existing biometricinformation, and the new biometric information acquisition unit 109acquires new biometric information at the same time (steps S3 and S4).Thereafter, the authentication data creation unit 13 createsauthentication data from the acquired existing biometric information.Examples of the authentication data include, in the case that existingbiometric information is a fingerprint, the ridge pattern of afingerprint, and the position information of a minutia.

Thereafter, the matching processing unit 14 performs matching processingbetween the authentication data and the registration data registered inthe database 90 to determine whether or not the matching has beensuccessful (step S5). At this time, in the case that attributeinformation has also been acquired, there may be executed 1:1 matchingin which the authentication data is matched with registration data alonecorrelated with the attribute information. Examples of the matchingprocessing by the matching processing unit 14 include fingerprintpattern matching processing, and minutia matching processing. In thecase that determination is made as result of the matching processingthat the authentication data agrees with one registration data, thematching processing unit 14 outputs an authentication successful resultthat the user of the authentication data is an already registeredregular user. Also, in the case that determination is made that there isno registration data agreeing with the authentication data, the matchingprocessing unit 14 outputs an authentication failure that the user ofthe authentication data is not an already registered regular user.

In the case that the result by the matching processing unit 14 is anauthentication failure, the output unit 15 displays a message to theeffect that authentication has failed, on the display device 104.Thereafter, the additional registration processing is ended withoutadditionally registering new biometric information (step S6). In thecase that the result by the matching processing unit 14 is anauthentication success, the output unit 15 displays a message to theeffect that authentication has succeeded, on the display device 104.Also, a system configured to enable a certain application to be executedaccording to an authentication success may execute the application inthe case of an authentication success. Further, a system configured toissue a permit for login or entering/leaving management according to anauthentication success may issue a permit in the case of anauthentication success. Next, the checkpoint processing unit 16 startspersonal authentication processing with points to be checked included inthe checkpoint list acquired by the checkpoint list acquisition unit 12.

Hereinafter, description will be made regarding an example of the pointsto be checked of the present embodiment, and a method for the sameperson determining unit 17 determining that existing biometricinformation and new biometric information are derived from the sameperson, using the points to be checked thereof. Description will be madein the present embodiment regarding a method for determining whether ornot existing biometric information and new biometric information arederived from the same person using a positional relation between animaged region of fingerprints acquired by the existing biometricinformation acquisition unit 108, and an imaged region of a palmacquired by the new biometric information acquisition unit 109. Notethat, in the case that each of the existing biometric informationacquisition unit 108 and new biometric information acquisition unit 109consecutively enables a fingerprint image and a palm vein image to beshot multiple numbers of times, multiple checkpoint results may beobtained with a series of operations by instructing a user to assumemultiple postures during shooting thereof.

A fluctuation research with various input postures will be described asa first example of points to be checked. When a user inputs newbiometric information and existing biometric information to the livingbody sensor 105, the checkpoint processing unit 16 displays aninstruction message on the display device 104 so as to input newbiometric information and existing biometric information with variouspostures of the hand. The user inputs new biometric information andexisting biometric information in accordance with the instructionthereof. Examples of various postures of the hand include a posture witha palm being raised, and a posture with a certain finger being separatedfrom the existing biometric information acquisition unit 108.

FIG. 6A is a schematic diagram in the case that a palm is held up to theliving body sensor 105 in parallel with the living body sensor 105. FIG.6B is a diagram representing a fingerprint image and a palm vein imageacquired by the living body sensor 105. On the other hand, in the casethat the user has input fingerprints and a palm vein with a postureraising a palm (separated from the new biometric information acquisitionunit 109) as illustrated in FIG. 7A, a fingerprint image has a smallerarea than that in a usual case as illustrated in FIG. 7B. Also, a palmvein image is reflected such that the wrist side is small as illustratedin FIG. 7B. Alternatively, in the case that the user has inputfingerprints and a palm vein with a posture separating an index fingerfrom the existing biometric information acquisition unit 108 asillustrated in FIG. 8A, a fingerprint image is reflected excluding theindex finger portion as illustrated in FIG. 8B. Also, a palm vein imageis reflected such that the index finger alone has narrower width. Also,in the case that the palm vein image has grayscale, the luminance valueof the color of the base of the finger is lower than that of the base ofanother finger.

In the case of a posture raising a palm, the same person determiningunit 17 calculates a palm inclination from new biometric informationactually acquired, and calculates the ratio of a fingerprint area fromexisting biometric information. The ratio of the fingerprint area iscalculated as a ratio in the case that the palm inclination is 0degrees, that is, in the case that an ordinary input case is taken as 1.Next, the same person determining unit 17 compares the ratio of thefingerprint area as to the palm inclination with a value of an alreadycreated correlation table between a palm inclination and the area of afingerprint image such as in FIG. 9, and in the case that differencethereof is difference equal to or lower than a predetermined thresholdvalue, for example, about 0.1, determines that the new biometricinformation and existing biometric information are derived from the sameperson.

Also, in the case of an index finger assuming a posture separated fromthe existing biometric information acquisition unit 108, the same persondetermining unit 17 calculates a ratio by dividing the luminance valueat the time of the index finger being raised by the luminance value ofthe base of an index finger at the time of ordinary input. For example,the luminance value of the base of a finger is obtained as a mean valueof luminance values of a region of the finger base portion. Also, thesame person determining unit 17 calculates the width of each finger atthe time of the index finger being raised. Further, in the case thatthere is no index finger within the fingerprint image, and also, theratio of the luminance value of the finger base is equal to or lowerthan a predetermined threshold value, for example, equal to or lowerthan 70%, and further, in the case that difference between the width ofthe index finger and the width of another finger is equal to or greaterthan a predetermined threshold value, for example, equal to or greaterthan 1 mm, the same person determining unit 17 determines that theexisting biometric information and new biometric information are derivedfrom the same person.

A research of distance between fingerprints and a palm vein will bedescribed as a second example of points to be checked. The checkpointprocessing unit 16 displays on the display device 104 an instruction forthe user to input fingerprints and a palm vein multiple numbers oftimes. The checkpoint processing unit 16 calculates distance of bothfrom a pair of a fingerprint image and a palm vein image acquired ateach input. Examples of distance of both include distance from a fingerbase to a fingerprint center position such as FIG. 10A and FIG. 10B. Thelength of a finger may be calculated by a technique, for example, suchas Japanese Laid-open Patent Publication No. 2012-208682 or the like.The same person determining unit 17 determines that the existingbiometric information and new biometric information are the biometricinformation of the same person if there is no difference equal to orgreater than the threshold value between distances acquired at theinputs.

A case of confirming whether or not a fingerprint image and a palm veinimage have been acquired by a behavior within a movable range of auser's bone structure will be described as a third example of points tobe checked. First, the checkpoint processing unit 16 shoots an image ofthe entirety of a user's hand using either one of the existing biometricinformation acquisition unit 108 and new biometric informationacquisition unit 109. Next, the checkpoint processing unit 16 calculatesa fingertip direction from a fingerprint image. Also, the checkpointprocessing unit 16 calculates a distance from the sensor, theinclination of a palm, and a direction of a finger base from a palm veinimage. Thereafter, the checkpoint processing unit 16 interpolatesinformation between the fingerprint image and palm vein image based oneach piece of information to estimate the posture of the hand at thetime of input. In the case of determining that estimation of the postureof the hand is reproducible with movement within a movable range of thehand estimated from the entire image of the user's hand, the checkpointprocessing unit 16 determines that the images have been input from thesame hand. Examples of determination that the estimation is reproducibleinclude that difference between the lengths of the fingers anddifference between the widths of the fingers obtained from the image ofthe entire hand and the estimation of the posture of the hand are withina predetermined threshold value, and that the fingers of the image ofthe entire hand completely agree with the estimated directions of thefingers of the posture of the hand by rotating the fingers of the imageof the entire hand with the finger bases as the center.

Note that, in the case that the checkpoint list includes multiple pointsto be checked, the same person determining unit 17 performs finaldetermination from the results of the points to be checked (step S7). Inthe case that derivation from the same person has been determined in allof the points to be checked, the same person determining unit 17 finallydetermines that the existing biometric information and new biometricinformation are derived from the same person. Also, in the case thatderivation of the same person has not been determined in any one of thepoints to be checked, even in the case that derivation from the sameperson has been determined in other points to be checked, the sameperson determining unit 17 may finally determine that the existingbiometric information and new biometric information are not derived fromthe same person. In this case, the additional registration processing isended without additionally registering the new biometric information(step S6).

In the case that the same person determining unit 17 has determined thatthe existing biometric information and new biometric information arederived from the same person, with reference to FIG. 3 again, theregistration data creation unit 18 recreates registration data using thenew biometric information (step S7). For example, the registration datacreation unit 18 creates new registration data by adding vein patternsextracted from new biometric information to already registered existingbiometric information. The recreated registration data is saved in thedatabase 19 (step S8).

According to the above processes, registration data with the newbiometric information has additionally been registered. Note that, inthe case that registration data with the new biometric information hasadditionally been registered regarding a certain user, it is desirablein the subsequent authentication processing of the user for the matchingprocessing unit 14 to perform matching even with the new biometricinformation. Also, at the time of adding a palm vein as new biometricinformation, the number of fingers of the fingerprints of existingbiometric information may be changed. In this case, it is desirable forthe registration data creation unit 18 to inhibit the same finger frombeing doubly registered by correlating the type of a finger to be newlyregistered with the type of a finger already registered in theregistration data. Addition of the new biometric information may causechange in the existing biometric information acquired by the existingbiometric information acquisition unit 108. At this time, registrationdata may be recreated using the existing biometric information acquiredtogether with the new biometric information.

According to the present embodiment, a biometric authentication devicein which registration opportunities for new biometric information arerestricted may improve authentication accuracy that the existingbiometric information and new biometric information are derived from thesame person with accuracy corresponding to the security level of thisbiometric authentication device.

Second Embodiment

FIG. 11 is a block diagram for describing a hardware configuration of abiometric authentication device 100 a according to a second embodiment.A point that the biometric authentication device 100 a differs from thebiometric authentication device 100 in FIG. 1 is in that a checkpointexternal device 110 is further provided. The checkpoint external device110 is a device configured to perform personal authentication processingwith points to be checked, for example, a camera.

FIG. 12 is a block diagram of the functions to be realized by executionof a biometric authentication program according to the secondembodiment. A point different from FIG. 2 is in that an external deviceresult acquisition unit 20 is further provided. FIG. 13 is a flowchartrepresenting an example of additional registration processing accordingto the present embodiment. A point in FIG. 13 different from theflowchart in FIG. 3 is in that new biometric information is acquired(step S24) after existing biometric information is acquired (step S23).Other processes (steps S21, S22, S25, S26, S27 and S28) are the same aswith the flowchart in FIG. 3.

The external device result acquisition unit 20 images an acquisitionscene at each of the acquisition timing of the existing biometricinformation acquisition unit 108 and the acquisition timing of the newbiometric information acquisition unit 109. The same person determiningunit 17 compares the imaged acquisition scenes to determine whether ornot the input user is the same person. Determination of the same personmay be made using face authentication with a user's face reflected in animage shot by the camera, or a method for acquiring the entire body of auser using a moving image to determine that new biometric informationand existing biometric information are input in chronological order by aseries of motions of the user.

The present embodiment also enables a biometric authentication device inwhich registration opportunities for new biometric information arerestricted to improve authentication accuracy that the existingbiometric information and new biometric information are derived from thesame person with accuracy corresponding to the security level of thisbiometric authentication device.

First Modification

The biometric authentication device 100 a newly employs a new biometricinformation acquisition unit 109 as the checkpoint external device 110.The checkpoint external device 110 is installed in the vicinity of adevice including the existing biometric information acquisition unit108. New biometric information and existing biometric information may beacquired at the same time. As described above, upon acquiring newbiometric information and existing biometric information at the sametime, it is estimated that the authentication accuracy of one piece ofthe biometric information deteriorates in the case that input with anideal posture is difficult, and in the case that there is influence of alight source of another device. However, in the case of authenticationaccuracy that it may be confirmed that the new biometric information andexisting biometric information are derived from the same person, thesame acquisition may be realized.

FIG. 14 is a diagram representing an example of a flowchart to beexecuted at the time of discriminating whether or not the input user isthe same person based on the points to be checked in a configurationaccording to the first modification. The existing biometric informationacquisition unit 108 further acquires existing biometric information(step S31), and the new biometric information acquisition unit 109 usedfor the checkpoint external device 110 acquires new biometricinformation (step S32). Next, the matching processing unit 14 performsmatching between the existing biometric information and the registrationdata (step S33).

The matching processing unit 14 determines whether or not matching withthe existing biometric information acquired in step S31 has beensuccessful (step S34). In the case that “No” has been determined in stepS34, the same person determining unit 17 determines that the input useris not the same person (step S35). In the case that “Yes” has beendetermined in step S34, the matching processing unit 14 performsmatching between the new biometric information acquired in step S32 andthe new biometric information acquired (step S24 in FIG. 13) beforestarting the processing illustrated in FIG. 14 (step S36). The matchingprocessing unit 14 determines whether or not the matching in step S36has been successful (step S37). In the case that “No” has beendetermined in step S37, the same person determining unit 17 determinesthat the input user is not the same person (step S35). In the case that“Yes” has been determined in step S37, the same person determining unit17 determines that the input user is the same person (step S38).Thereafter, the personal authentication processing with the points to bechecked is ended.

According to the present modification, the existing biometricinformation acquisition unit 108 and new biometric informationacquisition unit 109 acquire existing biometric information and newbiometric information at the same time respectively, wherebydetermination may be made regarding whether or not the existingbiometric information and new biometric information are derived from thesame person.

Second Modification

The biometric authentication device 100 a newly uses the new biometricinformation acquisition unit 109 as the checkpoint external device 110.The new biometric information acquisition unit 109 may acquire newbiometric information and existing biometric information to use suchinformation for confirming that such information are derived from thesame person. Alternatively, the biometric authentication device 100 anewly uses the existing biometric information acquisition unit 108 asthe checkpoint external device 110. The existing biometric informationacquisition unit 108 may acquire new biometric information and existingbiometric information to use such information for confirming that suchinformation are derived from the same person.

FIG. 15 is a diagram representing an example of a flowchart to beexecuted at the time of performing personal authentication processingwith the points to be checked in a configuration according to the secondmodification. The processing with the points to be checked will bedescribed with reference to FIG. 15. The checkpoint external device 110acquires existing biometric information (step S41), and also acquiresnew biometric information (step S42). For example, in the case that theface is taken as new biometric information, and a fingerprint is takenas existing biometric information, the user brings the finger right nextto the face. Next, a camera which shoots the face image serving as thenew biometric information shoots a fingerprint at the same time as theface.

At this time, in order to indicate that the face and fingerprint areinput from the same person, the camera shoots the user while adjusting azoom function. The camera gradually zooms in on the vicinity of the faceand fingerprint from a state in which the upper half entire body of theuser is reflected. The camera finally zooms in a position where thefingerprint is reflected as large as possible, and also the facialcontour is viewed. Alternatively, the user gradually approaches thecamera from a position where the upper half entire body may be shot. Thecamera may shoot scenes during that span. The user finally approaches aposition where the fingerprint is reflected as large as possible, andalso the facial contour is reflected.

The camera acquires a series of images with a predetermined interval,and acquires from an image of the user's upper body to an image in whichthe facial contour and fingerprint are reflected. It is desirable thatthe predetermined interval for acquiring an image by the camera is ashort period of time, for example, such as equal to or less than onesecond so as to inhibit the fingerprint from being replaced with anotherfingerprint during a series of operations.

The new biometric information acquisition unit 109 extracts afingerprint region from an image including the widest fingerprint regionout of images, and acquires this as existing biometric information.Also, the new biometric information acquisition unit 109 extracts a faceregion alone from an image where the entire face is reflected and alsothe area of the face region is the maximum, out of the images, andacquires this as new biometric information.

The same person determining unit 17 first confirms that the fingerprintand face image have been input from the same person using the imagesacquired at the camera. First, the same person determining unit 17extracts the region of the user's body from an image where the upperhalf body is reflected. If the positions of the hand and face areincluded in the same body region, the same person determining unit 17determines that the face and fingerprint have been input from the sameperson in the image the upper half body is reflected, and continues theprocessing. If there is an image where the face and fingerprint have adifferent body region, the same person determining unit 17 determinesthat the fingerprint has been input from a different person, andrequests the same operation again, or ends the same person determinationprocessing.

Next, if fluctuation is less than a predetermined value at the shortestdistance between the fingerprint and the facial contour in all imagesshot by the camera, the same person determining unit 17 determines thatthe face and fingerprint have been input from the same person in all ofthe images, and continues the processing. In the case of an image wherethe above fluctuation is equal to or greater than a predetermined value,the same person determining unit 17 determines that the face andfingerprint have been input from different persons, and requests thesame operation from the beginning again, or ends the personalauthentication processing with the points to be checked. The abovepredetermined value may be set to about 10 cm, for example.

Next, the matching processing unit 14 performs matching between theexisting biometric information and the registration data (step S43). Thematching processing unit 14 determines whether or not the matching withthe existing biometric information acquired in step S41 has beensuccessful (step S44). In the case that “No” has been determined in stepS44, the same person determining unit 17 determines that the face andfingerprint have not been input from the same person (step S45). In thecase that “Yes” has been determined in step S44, the matching processingunit 14 performs matching between the new biometric information and newbiometric information acquired (step S24 in FIG. 13) before starting theprocessing illustrated in FIG. 15 (step S46). The matching processingunit 14 determines whether or not the matching in step S46 has beensuccessful (step S47). In the case that “No” has been determined in stepS47, the same person determining unit 17 determines that the face andfingerprint have not been input from the same person (step S45). In thecase that “Yes” has been determined in step S47, the same persondetermining unit 17 determines that the face and fingerprint have beeninput from the same person (step S48). Thereafter, the personalauthentication processing with the points to be checked is ended.

Third Modification

The biometric authentication device 100 a may employ a pulse sensor suchas a pulse oximeter or the like as the checkpoint external device 110.For example, when the new biometric information acquisition unit 109acquires new biometric information, the checkpoint external device 110measures the pulse of an instance or circumference thereof where the newbiometric information is acquired, and when existing biometricinformation is acquired, measures the pulse of an instance orcircumference thereof where the existing biometric information isacquired, and if both pulses agree, determination may be made that thenew biometric information and existing biometric information are derivedfrom the same person.

Fourth Modification

The biometric authentication device 100 a may employ a device configuredto decide, save, or display a random code as the checkpoint externaldevice 110. The present modification will be described with reference toFIG. 16. The checkpoint external device 110 is provided to the existingbiometric information acquisition unit 108, and displays a random code.The display position of the random code is positioned in an imageablerange of the new biometric information acquisition unit 109. When theexisting biometric information acquisition unit 108 acquires existingbiometric information, the checkpoint external device 110 decides anddisplays one random code. The new biometric information acquisition unit109 images the random code together with the new biometric information.In the case that the random code imaged together with new biometricinformation agrees with the random code displayed at the time ofacquiring the existing biometric information, determination may be madethat the new biometric information and existing biometric informationare derived from the same person.

Third Embodiment

FIG. 17 is a function block diagram to be realized by execution of abiometric authentication program according to a third embodiment. Abiometric authentication device 100 b according to the third embodimenthas the same device configuration as with the first embodiment. A pointthat the functions in FIG. 17 differs from the functions in FIG. 2 is inthat a checkpoint candidate creation unit 21 is newly provided. At thetime of the additional registration processing, the same processing aswith FIG. 3 is performed. However, at the time of checkpoint listacquisition processing, the flowchart in FIG. 18 is executed as anexample.

The checkpoint list management unit 10 displays practicable points to bechecked (step S51). Thereafter, the checkpoint candidate creation unit21 extracts only suitable points to be checked according to an useenvironment of the biometric authentication device 100 b, and createscheckpoint candidates of which the priorities are arrayed in adescending order. In order to create checkpoint candidates, thebiometric authentication device 100 b determines a confirmation level ofwhich the higher the value is, the higher reliability of the point to bechecked, implementation time, a total data size used for determinationof derivation of the same person, and so forth for each point to bechecked beforehand.

At the time of creating checkpoint candidates, the checkpoint candidatecreation unit 21 creates checkpoint candidates as illustrated in FIG. 19in which practicable points to be checked are arrayed in a descendingorder of confirmation levels in the case of an environment whereimportance is placed on security. Alternatively, in the case thatadditional registration time per one person has to be suppressed to theminimum in an environment with many users, the checkpoint candidatecreation unit 21 creates checkpoint candidates with points to be checkedbeing arrayed in an ascending order of execution time. Alternatively, inthe case that the size of data to be saved has to be suppressed to theminimum in an environment with many users, the checkpoint candidatecreation unit 21 creates checkpoint candidates with points to be checkedbeing arrayed in an ascending order of total data sizes used fordetermination of derivation from the same person. In the case that thebiometric authentication device 100 b has to have a predeterminedconfirmation level, the checkpoint candidate creation unit 21 may createcheckpoint candidates with a combination of points to be checked so asto satisfy a predetermined confirmation level. Also, the administratormay correct the checkpoint candidates by inputting points to beprioritized from the administrator terminal.

The checkpoint list acquisition unit 12 acquires points to be checkedselected from the checkpoint candidates by the administrator, andcreates a checkpoint list (step S53). According to execution of theabove steps, the points to be checked have been acquired.

According to the present embodiment as well, a biometric authenticationdevice in which registration opportunities for new biometric informationare restricted may improve authentication accuracy that the existingbiometric information and new biometric information are derived from thesame person with accuracy corresponding to the security level of thisbiometric authentication device.

Other Examples

Though an example in which the functions are provided to the singlebiometric authentication device has been described in theabove-described embodiments, the functions are not restricted to thesingle biometric authentication device. For example, the functions inthe first embodiment may be distributed to a terminal, a server, and soforth. FIG. 20 is an example in which the biometric authenticationdevice 100 according to the first embodiment is realized by a biometricauthentication system including multiple terminals and a server. Theauthentication data creation unit 13 and output unit 15 may be realizedwithin a user terminal 30 including the attribute informationacquisition unit 107, existing biometric information acquisition unit108, and new biometric information acquisition unit 109. The checkpointlist management unit 11 and checkpoint list acquisition unit 12 may berealized within an administrator terminal 40. The matching processingunit 14 may be realized within an authentication server 60 including adatabase 70. The checkpoint processing unit 16, same person determiningunit 17, and registration data creation unit 18 may be realized within aregistration terminal 50 including the attribute information acquisitionunit 107, existing biometric information acquisition unit 108, and newbiometric information acquisition unit 109.

FIG. 21A, FIG. 21B, FIG. 21C, and FIG. 21D are hardware configurationdiagrams of the biometric authentication system in FIG. 20. The userterminal 30 in FIG. 21A includes a CPU, RAM, a storage device, a displaydevice, a living body sensor, a communication unit, an attributeinformation acquisition unit, and so forth. This living body sensorincludes the existing biometric information acquisition unit 108 and newbiometric information acquisition unit 109. The administrator terminal40 in FIG. 21B includes a CPU, RAM, a storage device, a display device,a communication unit, and so forth. The registration terminal 50 in FIG.21C includes a CPU, RAM, a storage device, a display device, a livingbody sensor, a communication unit, and so forth. This living body sensorincludes the existing biometric information acquisition unit 108 and newbiometric information acquisition unit 109. The authentication server 60in FIG. 21D includes a CPU, RAM, a storage device, a display device, acommunication unit, and so forth. The biometric authentication programis stored in any one or more devices, and is executed at each device.

FIG. 22 is an example in which the biometric authentication device 100 aaccording to the second embodiment is realized by a biometricauthentication system including multiple terminals and a server. A pointthat FIG. 22 differs from FIG. 20 is in that is in that the externaldevice result acquisition unit 20 is realized within the registrationterminal 50. FIG. 23A, FIG. 23B, FIG. 23C, and FIG. 23D are hardwareconfiguration diagrams of the biometric authentication system in FIG.22. A point that FIG. 23 differs from FIG. 21 is in that the checkpointexternal device 110 is provided in the registration terminal 50. Notethat the checkpoint external device 110 may be provided independentlyfrom the registration terminal 50 via a network.

FIG. 24 is an example in which the biometric authentication device 100 baccording to the third embodiment is realized by a biometricauthentication system including multiple terminals and a server. A pointthat FIG. 24 differs from FIG. 20 is in that the checkpoint candidatecreation unit 21 is realized within the administrator terminal 40. Thehardware configuration is the same as that in FIG. 21.

Note that a fingerprint image serving as existing biometric informationand a palm vein image serving as new biometric information have beenemployed in the above-described embodiments, but mutually differenttypes of biometric information may be employed. Also, as measures forforged fingerprints, a technique for determining whether or not a livingbody is a forged finger, for example, such as Japanese Laid-open PatentPublication No. 2009-238014, may be employed in the above-describedembodiments.

Though the embodiments of the present disclosure have been described indetail, the present disclosure is not restricted to such particularembodiments, various modifications and changes may be made withoutdeparting from the essence of the present disclosure described in theclaims.

What is claimed is:
 1. A biometric authentication device comprising: amemory; and a processor coupled to the memory and configured to:generate first biometric information based on a first image of a livingbody portion, generate second biometric information based on a secondimage of another living body portion, when authentication with the firstbiometric information has been successful, identify a positionalrelation between the living body portion and the another living bodyportion using a method from among a plurality of methods, determinewhether or not the positional relation satisfies a condition, determinethe second biometric information is from a user corresponding to thefirst biometric information when it is determined that the positionalrelation satisfies the condition, and register the second biometricinformation associated with the user, wherein the plurality of methodsinclude a first method for determining an inclination of the anotherliving body portion as to an imaging plane of a camera capturing thesecond image as the positional relation, and a second method fordetermining a distance between the living body portion and the anotherliving body portion as the positional relation.
 2. The biometricauthentication device according to claim 1, wherein the method isselected from among the plurality of methods based on one of a pluralityof security levels.
 3. The biometric authentication device according toclaim 2, wherein the memory is configured to store correspondenceinformation that indicates correspondence between each one of theplurality of methods and each of the plurality of security levels, andwherein the processor is further configured to display the plurality ofmethods acquired from a database, and select the method based on aninput.
 4. The biometric authentication device according to claim 1,wherein the living body portion is a finger or fingerprint, and whereinthe another living body portion is a palm or palm vein.
 5. The biometricauthentication device according to claim 4, wherein the processor isfurther configured to display a message instructing a posture of thefinger or the palm at the time of imaging before the first image and thesecond image are imaged.
 6. The biometric authentication deviceaccording to claim 1, wherein the processor is configured to acquire thefirst image from another camera, and the second image from the cameradisposed at a certain distance from the another camera.
 7. The biometricauthentication device according to claim 6, wherein the another cameraand the camera are controlled so as to perform imaging at the sametiming.
 8. The biometric authentication device according to claim 6,wherein the camera is controlled so as to perform imaging after imagingby the another camera.
 9. The biometric authentication device accordingto claim 1, wherein the processor is configured to determine whether thesecond biometric information is derived from the user corresponding tothe first biometric information, when a first random code displayed atthe time of acquiring the first biometric information agrees with asecond random code acquired from the second image.
 10. A biometricauthentication method executed by a processor, comprising: generatingfirst biometric information based on a first image of a living bodyportion, generating second biometric information based on a second imageof another living body portion, when authentication with the firstbiometric information has been successful, identifying, by theprocessor, a positional relation between the living body portion and theanother living body portion using a method from among a plurality ofmethods, determining whether or not the positional relation satisfies acondition, determining the second biometric information is from a usercorresponding to the first biometric information when it is determinedthat the positional relation satisfies the condition; and registeringthe second biometric information associated with the user, wherein theplurality of methods include a first method for determining aninclination of the another living body portion as to an imaging plane ofa camera capturing the second image as the positional relation, and asecond method for determining a distance between the living body portionand the another living body portion as the positional relation.
 11. Abiometric authentication device comprising: a memory; and a processorcoupled to the memory and configured to: generate first biometricinformation based on a first image of a living body portion, generatesecond biometric information based on a second image of another livingbody portion, authenticate that the first biometric informationcorresponds to a user, when the first biometric information isauthenticated, identify a positional relation between the living bodyportion and the another living body portion using a method from among aplurality of methods, determine whether or not the positional relationsatisfies a condition, determine the second biometric information isfrom the user corresponding to the first biometric information when itis determined that the positional relation satisfies the condition, andadd the second biometric information associated with the first biometricinformation, wherein the plurality of methods include a first method fordetermining an inclination of the another living body portion as to animaging plane of a camera capturing the second image as the positionalrelation, and a second method for determining a distance between theliving body portion and the another living body portion as thepositional relation.
 12. The biometric authentication device accordingto claim 11 further determines the second biometric information is fromthe user by acquiring a checkpoint list and checking points in thecheckpoint list.